Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-29-2020, 08:41
phroyt phroyt is offline
Friend
 
Join Date: May 2018
Posts: 63
Rept. Given: 0
Rept. Rcvd 7 Times in 3 Posts
Thanks Given: 23
Thanks Rcvd at 93 Times in 37 Posts
phroyt Reputation: 7
Lightbulb Reading File Version from Memory

I faced a strange problem:
GetFileVersionInfoSize And GetFileVersionInfo return nothing from an .EXE file with a valid RT_VERSION.

Using Resource Hacker the Record List appear as italic.
What I don't know what means, But the record is there.

By the way, my goal is to determinate the version of running executable that loaded my Proxy DLL.

The workaround was read the RT_VERSION resource using HInstance value from already loaded data into memory.

Code:
function FileVersion(Module: HINST = 0): String;
var
  verblock:PVSFIXEDFILEINFO;
  versionMS,versionLS:cardinal;
  verlen:cardinal;
  rs:TResourceStream;
  m:TMemoryStream;
  p:pointer;
  s:cardinal;
begin
  m:=TMemoryStream.Create;
  try
    if Module = 0 then
      Module := HInstance;

    rs:=TResourceStream.CreateFromID(Module,1,RT_VERSION);
    try
      m.CopyFrom(rs,rs.Size);
    finally
      rs.Free;
    end;
    m.Position:=0;
    if VerQueryValue(m.Memory,'\',pointer(verblock),verlen) then
      begin
        VersionMS:=verblock.dwFileVersionMS;
        VersionLS:=verblock.dwFileVersionLS;
        Result:=
          IntToStr(versionMS shr 16)+'.'+
          IntToStr(versionMS and $FFFF)+'.'+
          IntToStr(VersionLS shr 16)+'.'+
          IntToStr(VersionLS and $FFFF);
      end;
    if VerQueryValue(m.Memory,PChar('\\StringFileInfo\\'+
      IntToHex(GetThreadLocale,4)+IntToHex(GetACP,4)+'\\FileDescription'),p,s) or
        VerQueryValue(m.Memory,'\\StringFileInfo\\040904E4\\FileDescription',p,s) then //en-us
          Result:=PChar(p)+' '+Result;
  finally
    m.Free;
  end;
end;
The Module param can be omitted to load my DLL HInstace value, or can give the value using
Code:
GetModuleHandle(nil);
to find Main Module (EXE) HInstance.
Reply With Quote
  #2  
Old 04-29-2020, 10:49
atom0s's Avatar
atom0s atom0s is offline
Family
 
Join Date: Jan 2015
Location: 127.0.0.1
Posts: 279
Rept. Given: 24
Rept. Rcvd 102 Times in 48 Posts
Thanks Given: 46
Thanks Rcvd at 474 Times in 193 Posts
atom0s Reputation: 100-199 atom0s Reputation: 100-199
You can lookup the proper translation ids that the file offers via: VerQueryValueA/VerQueryValueW
They can be requested via the following lookup property: \\VarFileInfo\\Translation

MSDN shows an example of doing that here:
https://docs.microsoft.com/en-us/windows/win32/api/winver/nf-winver-verqueryvaluea

This way you don't have to hardcode it to English only, or guess. Using GetACP won't guarantee a valid number either, as that is specific to the system and not the file.
__________________
Personal Projects Site: https://atom0s.com
Reply With Quote
The Following User Says Thank You to atom0s For This Useful Post:
phroyt (04-29-2020)
  #3  
Old 04-29-2020, 11:06
phroyt phroyt is offline
Friend
 
Join Date: May 2018
Posts: 63
Rept. Given: 0
Rept. Rcvd 7 Times in 3 Posts
Thanks Given: 23
Thanks Rcvd at 93 Times in 37 Posts
phroyt Reputation: 7
What kind of protection is this below?

Code:
https://i.stack.imgur.com/70pG4.png
I can't read the resources in standard way.
Even save after changes.

Tried to inject a DLL using LordPE but it's also blocked.
Attached Images
File Type: png 70pG4.png (81.4 KB, 3 views)

Last edited by phroyt; 04-29-2020 at 11:12.
Reply With Quote
  #4  
Old 04-29-2020, 15:57
atom0s's Avatar
atom0s atom0s is offline
Family
 
Join Date: Jan 2015
Location: 127.0.0.1
Posts: 279
Rept. Given: 24
Rept. Rcvd 102 Times in 48 Posts
Thanks Given: 46
Thanks Rcvd at 474 Times in 193 Posts
atom0s Reputation: 100-199 atom0s Reputation: 100-199
That picture isn't a protection, just a manifest file that tells Windows the kind of requirements and access level the application expects/needs to run properly. Generally, it's used to request elevated permissions.
__________________
Personal Projects Site: https://atom0s.com
Reply With Quote
  #5  
Old 04-29-2020, 23:21
phroyt phroyt is offline
Friend
 
Join Date: May 2018
Posts: 63
Rept. Given: 0
Rept. Rcvd 7 Times in 3 Posts
Thanks Given: 23
Thanks Rcvd at 93 Times in 37 Posts
phroyt Reputation: 7
Talking

Sorry,

I'm not arguing about manifest.
I know what it means.

I don't understand what makes a executable locked from resource changing.
As you can see, even the "Save As" button is disabled.

This image shows Resource Hacker with italic items:
https://imgur.com/eLUbofr

This image shows Resource Hacker with normal items:
https://imgur.com/ioEm72Q
Reply With Quote
  #6  
Old 04-30-2020, 05:47
atom0s's Avatar
atom0s atom0s is offline
Family
 
Join Date: Jan 2015
Location: 127.0.0.1
Posts: 279
Rept. Given: 24
Rept. Rcvd 102 Times in 48 Posts
Thanks Given: 46
Thanks Rcvd at 474 Times in 193 Posts
atom0s Reputation: 100-199 atom0s Reputation: 100-199
That would be specific to the tool itself, you'd have to ask the author of it for help as to why. Could be any number of things.
__________________
Personal Projects Site: https://atom0s.com
Reply With Quote
  #7  
Old 04-30-2020, 12:28
chants chants is offline
Family
 
Join Date: Jul 2016
Posts: 559
Rept. Given: 6
Rept. Rcvd 35 Times in 21 Posts
Thanks Given: 472
Thanks Rcvd at 835 Times in 392 Posts
chants Reputation: 35
Is this just an NTFS file or other permission issue? Perhaps the executable is read execute or the like. Certainly most editors will gray out save options. You could try running it elevated or as whatever service or the SYSTEM account with runas.

Why the version query fails might also have to do with integrity levels and permissions checks. I would research exact details here as I assume this is straight forward to resolve without a potentially complicated workaround given the multilingual issues etc
Reply With Quote
  #8  
Old 05-01-2020, 04:18
Kurapica's Avatar
Kurapica Kurapica is offline
VIP
 
Join Date: Jun 2009
Location: Archives
Posts: 136
Rept. Given: 13
Rept. Rcvd 129 Times in 37 Posts
Thanks Given: 27
Thanks Rcvd at 231 Times in 50 Posts
Kurapica Reputation: 100-199 Kurapica Reputation: 100-199
I have version 4.5.30 of Resource Hacker

I was curios to know why it sets the font style to italic in the TreeView when opening a new file


Code:
00705308                                     | 8B45 F4                   | mov eax,dword ptr ss:[ebp-C]                            |
0070530B                                     | 8B80 E0060000             | mov eax,dword ptr ds:[eax+6E0]                          |
00705311                                     | 8B16                      | mov edx,dword ptr ds:[esi]                              |
00705313                                     | E8 00DFEFFF               | call                         |
00705318                                     | 8B45 F4                   | mov eax,dword ptr ss:[ebp-C]                            |
0070531B                                     | 8B80 E0060000             | mov eax,dword ptr ds:[eax+6E0]                          |
00705321                                     | 8078 16 00                | cmp byte ptr ds:[eax+16],0                              |
00705325                                     | 74 1A                     | je resourcehacker.705341                                |
00705327                                     | 8B45 F4                   | mov eax,dword ptr ss:[ebp-C]                            |
0070532A                                     | 8B80 C8030000             | mov eax,dword ptr ds:[eax+3C8]                          |
00705330                                     | 8B40 74                   | mov eax,dword ptr ds:[eax+74]                           |
00705333                                     | 0FB615 B8557000           | movzx edx,byte ptr ds:[7055B8]                          |
0070533A                                     | E8 AD51DCFF               | call                            |
0070533F                                     | EB 18                     | jmp resourcehacker.705359                               |
00705341                                     | 8B45 F4                   | mov eax,dword ptr ss:[ebp-C]                            |
When it returns from "resourcehacker.sub_603218" , if "byte ptr ds:[eax+0x16] = 0" it won't set font style to italic.
Enter "resourcehacker.sub_603218" and you will see it checks the file for several conditions

Before entering "resourcehacker.sub_603218" you will notice this byte is set to 1
and later in that function it's set to 0

00603425 | C640 16 00 | mov byte ptr ds:[eax+16],0
|
Code:


0060329D                                     | 50                        | push eax                                                |
0060329E                                     | E8 49F8E0FF               | call                                  |
006032A3                                     | 8945 F0                   | mov dword ptr ss:[ebp-10],eax                           |
006032A6                                     | 837D F0 FF                | cmp dword ptr ss:[ebp-10],FFFFFFFF                      |
006032AA                                     | 0F84 AC000000             | je resourcehacker.60335C                                |
006032B0                                     | 33C0                      | xor eax,eax                                             |
006032B2                                     | 55                        | push ebp                                                |
006032B3                                     | 68 F3326000               | push resourcehacker.6032F3                              |
006032B8                                     | 64:FF30                   | push dword ptr fs:[eax]                                 |
006032BB                                     | 64:8920                   | mov dword ptr fs:[eax],esp                              |
006032BE                                     | 8B45 FC                   | mov eax,dword ptr ss:[ebp-4]                            |
006032C1                                     | 83C0 4C                   | add eax,4C                                              |
006032C4                                     | 50                        | push eax                                                |
006032C5                                     | 8B45 FC                   | mov eax,dword ptr ss:[ebp-4]                            |
006032C8                                     | 83C0 44                   | add eax,44                                              |
006032CB                                     | 50                        | push eax                                                |
006032CC                                     | 8B45 FC                   | mov eax,dword ptr ss:[ebp-4]                            |
006032CF                                     | 83C0 3C                   | add eax,3C                                              |
006032D2                                     | 50                        | push eax                                                |
006032D3                                     | 8B45 F0                   | mov eax,dword ptr ss:[ebp-10]                           |
006032D6                                     | 50                        | push eax                                                |
006032D7                                     | E8 28F9E0FF               | call                                  |
006032DC                                     | 33C0                      | xor eax,eax                                             |
006032DE                                     | 5A                        | pop edx                                                 |
006032DF                                     | 59                        | pop ecx                                                 |
006032E0                                     | 59                        | pop ecx                                                 |
So most probably it's a file permissions issue in your case.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On



All times are GMT +8. The time now is 22:17.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2020 )